A Survey on Android Malwares and Their Detection Techniques

Introduction

Today Mobile Technology is being extensively used around the world. Since 2008 the usage of mobile technology is growing very fast. All the confidential and private information like photographs, videos, banking details etc are easily stored in the mobile.

Many mobiles are available with many operating systems. Android is an open source mobile operating system available in many smart phones. According to Google 1. 3 million Android Devices are being activated each day. According to the Gartner’s report Google’s Android captured total 82% of market in 2016. In the last quarter of 2016 total 432 million smart phones were sold out from which 352 million smart phones used Android operating system.

With the popularity of Android operating system it is also more prone to vulnerabilities and malicious attacks of malwares. According to the Google Android Security Report total 655 vulnerabilities were found in 2016. Total 316 vulnerabilities were found in Android operating system in 2017 which is more compared to any other operating system. According to Cisco’s report 98% of malwares target Android platform. So there is need for proper malware detection in this operating system. Malware threats are expected to increase with the extension of the functionality in mobile phones. There are many harmful applications that contain the malwares and put user’s data and device at risk. These applications contain malware categories like spyware, Trojans, phishing apps etc. There are various Android Malware Detection Techniques available for detecting malwares. In this paper the existing Android Malware Detection Techniques are compared to design more robust and efficient techniques.

Android Malware

The malware is any malicious program code either installs themselves or are installed on any device without user’s permission and performs the functions without user’s knowledg. The basic motive of the malware is to steal the confidential information from the smart phone, locking the smart phone, sending SMS/MMS, making calls to the premium numbers, share the information through GPS. According to the study there are various research projects are also undertaken to characterize various existing android malwares. A project named Android Malware Genome was undertaken to characterize existing android malwares. Another project named Android Drebin was also undertaken to enable a comparison of different malware detection approaches. Various data samples for Android Malwares are also available.

Based on the functionalities the Android Malwares can be categorized in different categories:

• Spyware
• Trojans
• Virus
• Phishing Apps
• Bot Process
• Root kits.

Spyware secretly steals the confidential information of the user from the mobile and sends it to a third party. It gathers information such as OS Version, IMEI, IMSI, device information.

Trojans are installed with the application and infect the user devices by performing malicious activities. They automatically hijack the browser, capture login information from other applications such as mobile banking etc. Trojans always need the user interaction. Virus is a malicious program code that generates multiple copies of it. The multiple copies get attached to other program files or any attachments and infect them.

Phishing Apps are installed in the devices through internet browsing from mobile devices. Phishing Techniques steal the user credentials and confidential data. Bot Process targets the mobile devices and gains complete access to the device and all its information and also provides the control to third party. Mobile botnets spread themselves by sending text messages or e-mails from the infected device to another device.

Root kits perform malicious activities in mobile devices by altering the operating system. This malware provides full administrator privileges to the third party. Trojans are used to plant root kits. According to the latest study the table represents list of top 10 Android Malware Families with their description and capabilities.

Based on the study the Android Malware Detection Analysis techniques are divided into three categories: Static Analysis, Dynamic Analysis and Hybrid Analysis. The taxonomy of existing Android Malware Detection techniques is also listed.

The main objective of the static analysis in mobile malwares is to check the permissions, source code of the application, components, resources and signatures. All the information regarding the application is resided in the APK file. Static analysis is performed using the APK file. The permissions, resources, code, services and all other information is extracted from the APK file and analyzed properly. There are various tools available for static analysis like apktool, aapt, dex2jar, jd-gui.

The static analysis techniques are as follows:

Signature/Pattern Based Static Analysis

The APK file contains specific signature. Every APK file has different signature. The signature contains the message digest of the APK file. If there is any change in the APK file then the message digest of the signature will also change and one can quickly analyse that the specific application is malicious. The signatures of the malwares can also be collected to identify the malwares quickly.

Resources Based Static Analysis

AndroidManifest. xml file is a resource file which contains all the information of the resources used in the application. Resources of an application contain user interfaces modules like widgets, menus, layout etc. The AndroidManifest. xml file is present in the APK file. Many malwares running in the background need user interaction from these user interfaces. So the user interface is also an important part to be analysed properly.

Components Based Static Analysis

The Android Application is divided in to several components like: Content Providers, Services, Intents, Activities and Broad Cast Receivers. The information of all these components is available in the AndroidManifest. xml file. Most of the malwares run in the form of background services and gain the information about intents, activities, Receivers. So analysis of these components is also very much important for recognizing malicious behaviour.

Permission Based Static Analysis

Android provides a permission based model for implementing inbuilt security. All the permissions are defined in AndroidManifest. xml file. The application has to request access permissions like contacts, messages, internet, gps, camera etc.

Permission plays an important role in any Android Application. A simple photo editing application if requests for a ‘READ_SMS’ permission than it depicts some malicious behaviour. So analysis of the permissions is also important for recognizing malicious behaviour.

Dynamic Analysis includes the behavioural analysis of the application. Dynamic features include system calls, network traffic, network flow, network address. It monitors the behaviour of the system. A few frameworks like Ananas, TaintDroid, DroidScope, CopperDroid are available performing dynamic analysis.

Hybrid Analysis is a combination of both Static and Dynamic Analysis of the application. The process starts from the static analysis. The static analysis checks the code, permissions, and components of the application. Then the dynamic analysis performs over all behaviour analysis of the application. There are only few frameworks like Mobile Sand Box, Andrubis that follows the Hybrid Approach.

Comparative study of Android malware detection techniques

In this section a detailed comparison is discussed between different Android Malware Detection Techniques. The following parameters are taken for comparison: Input, Analysis type, Data Set, Data Set Type, Data Set Source, Final Data Set Selection, Detection Rate, Reliability of Detection Rate and Proposed Approach.

Samaneh proposed a technique of Sensitivity feature analysis for detecting the Android Malwares. This technique divides the static features of classification based Android malwares detection techniques in some related categories and study influence using each category of features. Here manifest file is taken as an input and static analysis is performed. A final data set of 57 Malware samples is taken from Android Malgenome Project and 57 Good Applications are taken from Google Android Market. The detection rate is 98%.

Wonjoo proposed an Android Malware detection system for detection of SMiShing malicious attacks. SMiShing attacks includes sending of SMS and MMS. Malicious applications including SMS and MMS malwares are taken as input. Here static analysis is used. A final data set of 1200 Malware samples is taken from Android Malgenome Project. The data set of malware samples is selected from 10 Malware families. The detection rate is 100% as for each family there were 2 to 5 malicious applications tested and all the applications were detected.

Manzhi proposed a method named Intensive feature engineering for detecting Android Malwares. Here static analysis is performed. Firstly Android application is inspected statically and manifest, dex code are extracted. Then features are extracted from the files and embedded in a vector space. This embedded feature sets enables to detect malwares using techniques of machine learning. A final data set of 550 Malware samples from Android Drebin Project and 550 good samples were taken from Baidu Application Market. The data set of malware samples is selected from 16 Malware families. The detection rate is 98%.

Zi Wang proposed an Android Malware detection approach known as DroidDeepLearner. This approach uses deep learning algorithm to distinguish malicious android applications from the benign ones. Different Permissions and API call functions are taken as input. Here static analysis is used. A final data set of 4000 Malware samples and 2334 good samples is taken and the detection rate is 93%.

Zarni proposed a Machine Learning based Android Malware detection system. Firstly features are extracted from Android apk files. Then a dataset of extracted features is created from Android Applications in order to develop Android Malware detection framework. Validations of machine learning approaches are performed to achieve the accurate results. Here static analysis is used. A final data set of 500 Malware samples is taken and the detection rate is around 91%.

Xiong proposed a framework based on contrasting Permission pattern for Android Malware Detection. Contrasting permissions are used to characterize the different malwares and clean the application permissions. Certain classifiers are also introduced Here Hybrid analysis is used. A final data set of 298 Malware samples are taken from Android Malgenome Project and 342 good samples are taken from third party Android Application Markets like SlideME and Pandaapp. The detection rate is more than 90%.

Micheal proposed an automated system named RiskRanker which is used for zero-day Malware Detection. RiskRanker scalably analyses and exhibits the danger behaviour of the malwares. It performs first order analysis and then second order analysis for detecting the malicious behaviour. Android Applications are taken as an input by this system. Here static analysis is used. A final data set of 118, 318 applications is taken and the detection rate is also very good. Daniel proposed a system named Drebin for detecting Android Malwares. Drebin performs a static analysis by gathering many features of an application. These features are embedded in a joint vector space. With the embedded data set different patterns of malwares are identified. A final data set of 5560 Malware samples are taken from Malgenome Project and malware forums. A final data set of 123453 good samples are taken from Chinese Markets, Android Google Market, Russian Market, Security Blogs. The data set of malware samples is selected from top 20 Malware families. The detection rate is 94% as on installation of every 100 Applications it detects 94%. On average Drebin is able to analyse given applications in 10 seconds on 5 smart phones.

Takasama proposed a Kernel-based Behaviour Analysis system for detecting Android Malwares. This system consists of a log collector in the Linux Layer and a log analysis application. The log collector collects records all system calls. The log analyser matches activities with signatures with a regular expression to detect the malicious activity. Here dynamic analysis is used. A final data set of 230 Applications is taken from Android Google Market and out of that 64 applications were detected as malicious.

Shuang proposed a Permission combination based system named Droid Detective for detecting Android Malwares. This scheme is based on the permission combinations declared in the application manifest file. Rule sets are generated based on permission combinations for malware detection. Here static analysis is used. A final data set of 1260 Malware samples is taken from Malgenome Project and 741 good samples are taken from Google Android Market. The detection rate is 96%.

Conclusion

Malware Detection is the important key for the security of the Android Operating System. The number of malwares is increasing day by day so there is a need of new malware detection techniques which can detect malwares more securely and accurately. Based on the comparative study of different Android Malware Detection Techniques each and every technique has its own benefits and limitations. In Samaneh different static features are classified into different categories but it cannot detect unknown malwares. In Wonjoo it has high malware detection rate but it is used only for detecting malwares based on SMS and MMS. In Manzhi it combines more than one features at a single level but it is more time, power and memory consuming. In Zi Wang it builds a DBN Network Model and provides deep analysis but it is very time consuming. In Zarni it provides security at installation time but it generates results only on the basis of manifest file. In Xiong it provides different contrasting permission patterns but it generates results only on the basis of manifest file. In Micheal it scalably analyses whether a particular application exhibits danger but it is more time consuming. In Daniel it enables identifying malicious applications directly on smart phone and is a light weight method but it is more time consuming. In Takasama[9] it logs the kernel messages and analyses them for malicious activity but it cannot detect unknown malware types. In Shuang it combines different permission at a single level but it generates results only on the basis of manifest file.

Based on the limitations of existing malware detection techniques it can be concluded that the detection techniques that uses static analysis are more time, power and resource consuming. Also they lack detection of the runtime behaviour of the applications. The detection techniques that uses dynamic analysis are more resource consuming and also cannot detect unknown malware types. The detection techniques that uses hybrid analysis are accurate and scalable but more time power and resource consuming. A hybrid malware detection technique must be proposed which will address all the limitations of static and dynamic analysis approaches. This technique will be based on generic malware detection. This technique first will perform static analysis on the local device and then will perform dynamic analysis on a remote server. So it will be able to detect more malwares accurately and it will also consume less time, power and resources.